[opencms-dev] DOS attacks made possible by image scaling?

Sebastian Himberger sebastian.himberger at gmx.de
Wed Jun 10 11:18:00 CEST 2009


Hi,

regarding the limit of different image versions: Some CMS-Systems have 
something called image classes / filters which are configurable. So you 
would configure for example the class: "thumbnail-profile" and set its 
parameters. Then the image could be requested using the configured class 
/ filter name. This way you have a) central management of the image 
filters and b) prevent the attacks allowing many different parameters. 
You could configure the classes in the VFS using xmlcontent. Of course 
this would not be directly related to the problem. I think an additional 
mechanism would be required because of backwards compatibility.

Maybe it would be the easiest to introduce a callback interface to hook 
into the image scaling process. This way we could implement multiple 
policies. Something like this:

interface CmsImageScalerPlugin {

  public void preGeneration(...);

  public void postGeneration(...);

}

Best regards,
Sebastian

a.westermann at alkacon.com wrote:
> Hi Claus, Paul, Mika,
>
> thanks for bringing up this thought and sharing ideas. We had a little 
> unofficial brainstorming here too. What about another configuration 
> option to limit the maximum amount of different scaled versions for 
> every image. Normally an image will only be available in one to three 
> different versions. Another thought was to use a LRU Map for scaled 
> images and upon dropping an entry delete the scaled version. To cover 
> the CPU load in the latter possible solution the LRU Map could be 
> checked if the most recent request was for the same image and within a 
> certain time range and e.g. return an error in case of DOS detection. 
> These are only ideas for now.
>
> Turning off image scaling sounds hard but is safe. Are there any more 
> ideas on this subject?
>
> Kind Regards,
> Achim.
>
> -------------------
> Achim Westermann
>
> Alkacon Software GmbH  - The OpenCms Experts
> http://www.alkacon.com - http://www.opencms.org
>
> Visit OpenCms Days 2009 Conference and Expo
> June 15 to June 16 2009 in Cologne, Germany
> http://www.opencms-days.org
>
>
> Claus Priisholm wrote:
>   
>> Ideally the parameters should be encrypted or better yet hashed so only 
>> the combinations of parameters known to the server are accepted. There 
>> is already some of this going on as the resulting images are cached with 
>> an unique id. But it may not be easy. I haven't looked that much at the 
>> code involved.
>>
>> But there are a couple of things you can do. In the opencms-vfs.xml you 
>> can disable the function by setting image.scaling.enabled = false.
>> And, if you need it, you can set the image.scaling.maxsize to whatever 
>> is the maximum you need. Often I find that the function is only used for 
>> making thumbnails and in that case you may get away with a maxsize = 64 
>> pixels or likewise rather than the default 1500 pixels. At least that 
>> helps minimize the severity of a DOS attempt.
>>
>> Paul-Inge Flakstad wrote:
>>     
>>> Hi Mika
>>>  
>>> This was a very interesting post, raising questions on an issue I 
>>> haven't even thought about. I'm really looking forward to hearing what the 
>>> experts have to say about this.
>>>  
>>> Cheers,
>>> Paul
>>>
>>>     ------------------------------------------------------------------------
>>>     *From:* opencms-dev-bounces at opencms.org
>>>     [mailto:opencms-dev-bounces at opencms.org] *On Behalf Of *Mika Salminen
>>>     *Sent:* 9. juni 2009 21:42
>>>     *To:* opencms-dev at opencms.org
>>>     *Subject:* [opencms-dev] DOS attacks made possible by image scaling?
>>>
>>>     Hello,
>>>
>>>     OpenCms image scaling with request parameters (i.e.
>>>     http://your.url/image.jpeg?__scale=w:50,h:50) is a nice feature and
>>>     allows for example easy thumbnail generation. But I believe that it
>>>     provides multiple possibilities for a malicious user to play around.
>>>
>>>     Basic attacks could possibly be done as easily as just requesting
>>>     the image with many different parameters many times in a row.
>>>
>>>     For example:
>>>
>>>     http://your.url/image.jpeg?__scale=w:1,h:1
>>>     http://your.url/image.jpeg?__scale=w:1,h:2
>>>     http://your.url/image.jpeg?__scale=w:1,h:3
>>>     ...
>>>     http://your.url/image.jpeg?__scale=w:1024,h:767
>>>
>>>     This would cause OpenCms to create and write to cache a new version
>>>     of the image (of course if image with given parameters does already
>>>     exist in cache it is not recreated).
>>>
>>>     The kind of attack introduced above could cause performance problems
>>>     for the server (I assume that the image processing is not very cheap),
>>>     but it can also cause nasty things to happen in cache. For example if
>>>     there is a published 1024x768 JPEG image on an OpenCms website, a
>>>     malicious user can request all the 1024*768=786432 size
>>>     variations of the image, thus creating ~14GB data to disk
>>>     (Assumptions: 1byte/pixel, average JPEG compression ratio 1:10. You
>>>     can check my calculations in attached java code). And of course if
>>>     there is more than one image on the site, the attack can be done for
>>>     them too (other resize parameters could work too, haven't checked...).
>>>
>>>     The point is that creating large amounts of data to cache is easily
>>>     possible for malicious users. Filling the disk can in many cases put
>>>     down the whole server.
>>>
>>>     At least a partial resolution for this problem could be limiting the
>>>     image cache size and making it for example LRU style (I could not
>>>     find that limiting is done already). This does not of course prevent
>>>     a possible performance DOS attack and also the cache could be rendered
>>>     useless by the attacker.
>>>
>>>     Other options I could think of seem more complicated and would
>>>     probably require the available image sizes to be known before render
>>>     time.
>>>
>>>     So tell me what you think about all this? Am I correct or do I miss
>>>     something?
>>>
>>>     -Mika
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>>
>>> _______________________________________________
>>> This mail is sent to you from the opencms-dev mailing list
>>> To change your list options, or to unsubscribe from the list, please visit
>>> http://lists.opencms.org/mailman/listinfo/opencms-dev
>>>       
>
>   
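Added example, not part of the thread and not OpenCms code: one way to realise the suggestion quoted above that the scaling parameters be hashed so only combinations known to the server are accepted, using an HMAC over the image path and the __scale value. The __sig parameter name, the class name and the secret are assumptions made for this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not OpenCms code: class name and the __sig parameter are assumed.
final class ScaleUrlSigner {
    private final SecretKeySpec key;

    ScaleUrlSigner(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    /** Called where the server renders an image link: query string to emit. */
    String sign(String imagePath, String scale) throws GeneralSecurityException {
        return "__scale=" + scale + "&__sig=" + tag(imagePath, scale);
    }

    /** Called per request, before any scaling or cache write happens. */
    boolean verify(String imagePath, String scale, String sig) throws GeneralSecurityException {
        if (sig == null) return false;
        byte[] expected = tag(imagePath, scale).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, sig.getBytes(StandardCharsets.US_ASCII)); // constant time
    }

    // The tag covers the path too, so a signature issued for one image cannot be replayed on another.
    private String tag(String imagePath, String scale) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        mac.update(imagePath.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0); // separator keeps (path, params) pairs unambiguous
        mac.update(scale.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        ScaleUrlSigner signer = new ScaleUrlSigner("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String query = signer.sign("/image.jpeg", "w:50,h:50");
        String sig = query.substring(query.indexOf("__sig=") + "__sig=".length());
        System.out.println(query);
        System.out.println("issued size accepted:  " + signer.verify("/image.jpeg", "w:50,h:50", sig));
        System.out.println("altered size accepted: " + signer.verify("/image.jpeg", "w:1,h:3", sig));
    }
}
```

Requests that fail verification are rejected before any image processing or cache write, so the set of cacheable variants is limited to what the site's own templates emit.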
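Added example, not part of the thread and not OpenCms code: a policy for the kind of pre/post-generation hook proposed above, combining the per-image limit on scaled versions with an LRU map that deletes the scaled file when an entry is dropped. The post elides the hook parameters, so the ScalerPolicy signatures and all names below are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not OpenCms code: the hook signatures and every name here are assumed.
interface ScalerPolicy {
    boolean preGeneration(String image, String params);            // false = refuse to scale
    void postGeneration(String image, String params, Path cached); // scaled file was written
}

/** Caps distinct scaled versions per image and bounds the whole cache with an LRU map. */
final class BoundedVariantPolicy implements ScalerPolicy {
    private final int maxPerImage;
    private final Map<String, Integer> perImage = new HashMap<>();
    private final LinkedHashMap<String, Path> lru;

    BoundedVariantPolicy(int maxPerImage, int maxTotal) {
        this.maxPerImage = maxPerImage;
        this.lru = new LinkedHashMap<String, Path>(16, 0.75f, true) { // true = access order
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Path> eldest) {
                if (size() <= maxTotal) return false;
                release(eldest.getKey(), eldest.getValue());
                return true;
            }
        };
    }

    @Override
    public synchronized boolean preGeneration(String image, String params) {
        if (lru.get(key(image, params)) != null) return true; // cached: serve it, refresh LRU order
        return perImage.getOrDefault(image, 0) < maxPerImage;  // refuse one variant too many
    }

    @Override
    public synchronized void postGeneration(String image, String params, Path cached) {
        if (lru.put(key(image, params), cached) == null) perImage.merge(image, 1, Integer::sum);
    }

    // Runs when the LRU map drops its eldest entry: free the disk space and the per-image slot.
    private void release(String key, Path file) {
        perImage.computeIfPresent(key.substring(0, key.indexOf('\n')), (k, n) -> n > 1 ? n - 1 : null);
        try { Files.deleteIfExists(file); } catch (IOException e) { System.err.println("orphaned " + file); }
    }
    private static String key(String image, String params) { return image + '\n' + params; }
}
```

A new variant of an image that already holds its quota is refused until the LRU map evicts one of that image's entries, so junk variants can still occupy the slots. The cap bounds disk use and scaling work per image; it does not replace restricting which parameter sets are valid.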



